Security
Sidona is built for firms handling sensitive bid materials, proprietary pricing, and government tender documents. This page summarizes how we protect your data — technically, operationally, and contractually.
Last updated: June 4, 2026
Security at a Glance
Encryption Everywhere
TLS in transit and AES-256 (or equivalent) at rest for customer data, deal rooms, and uploaded bid materials.
Canadian Data Residency
Primary storage and processing in Canada. Third-party providers are selected for equivalent protection standards.
Private AI Processing
Your tender documents and organizational knowledge are not used to train public foundation models.
Enterprise Authentication
Secure sign-in via Clerk. Enterprise plans support SSO (SAML) and role-based team access.
Least-Privilege Access
Internal access to production systems is limited on a need-to-know basis with logging and monitoring.
SOC 2 Readiness
Controls and practices aligned with SOC 2 expectations as we scale enterprise and government-adjacent workloads.
1. Infrastructure & Data Protection
Sidona Inc. operates the Platform on modern cloud infrastructure with defense-in-depth controls designed for B2B SaaS and procurement workloads.
- Encryption of data in transit using industry-standard TLS.
- Encryption of data at rest using AES-256 or equivalent standards.
- Network segmentation and hardened production environments.
- Regular vulnerability scanning and security reviews of Platform infrastructure.
- Automated backups and disaster-recovery procedures for critical systems.
No method of transmission or storage is 100% secure. We implement commercially reasonable safeguards but cannot guarantee absolute security. See our Terms of Service for related limitations.
2. Data Residency & Sovereignty
Canadian public-sector buyers and contractors increasingly require that vendor data stay within Canada or under equivalent protections. Sidona stores and processes customer data on servers located in Canada.
Where subprocessors or AI infrastructure are involved, we take reasonable steps to ensure contractual and technical safeguards consistent with Canadian privacy law, including PIPEDA. Details on personal information handling are in our Privacy Policy.
3. AI & Document Confidentiality
Procurement teams upload RFPs, pricing models, past performance, and internal notes into deal rooms. We treat that content as confidential customer data.
- No public model training: Customer-uploaded tender documents and organizational knowledge bases are not used to train publicly available foundation models.
- Tenant isolation: Your workspace data is logically separated from other customers.
- Purpose limitation: AI processing is performed to deliver Platform features — parsing, Q&A, matching, and compliance extraction — not for unrelated purposes.
4. Access Control & Authentication
Account security is managed through industry-standard authentication. Enterprise customers can deploy additional controls for larger bid teams.
All plans
- Secure authentication and session management
- Password and account recovery best practices
- Activity logging on sensitive operations
Enterprise
- SSO (SAML) integration
- Role-based access for teams and deal rooms
- Dedicated support for security questionnaires
5. Public Procurement Data
Much of what Sidona aggregates — tender notices, award notices, and attached solicitation documents — is already published by governments for public access. We ingest from official federal, provincial, and municipal sources. Your private uploads, notes, and bid responses remain separate from this public corpus and are protected as customer data.
6. Incident Response & Breach Notification
Sidona maintains incident response procedures to detect, contain, and remediate security events. If we become aware of a breach affecting your personal information, we will notify affected users in accordance with applicable Canadian breach notification requirements, including PIPEDA.
To report a suspected security issue or vulnerability, contact us immediately via our Contact Page. Please include sufficient detail for our team to investigate.
7. Your Responsibilities
Security is a shared responsibility. You agree to:
- Keep account credentials confidential and use strong, unique passwords.
- Enable multi-factor authentication when available.
- Limit deal room access to authorized team members only.
- Report suspected unauthorized access promptly.
- Maintain up-to-date security software on devices used to access the Platform.
Security Inquiries
For security questionnaires, vendor due diligence, or enterprise compliance reviews, contact our team through the Contact Page. We respond to qualified procurement and IT security requests as capacity allows.
Related documents: Privacy Policy · Terms of Service · Cookie Policy